Cisco Support Community
New Member

ASA failover

Hi,

We have two ASA 5520 with failover enabled. Due to the replacement of a wire in the ASA which was active, the standby ASA took over. However, we found out that the VPN connection wasn't available when this ASA was the active one. What could be the reason?

 

Thanks in advance.

VIP Green (accepted solution)

Make sure that the configuration has been completely synchronized.

Also make sure you have configured the stateful failover link, which synchronizes the VPN connection info.

--

Please remember to select a correct answer and rate helpful posts

New Member

Hi,

 

I've just found out that the failover is configured as Active/Active. Is it related to the VPN problem? Should it be configured as Active/Standby?

 

Thanks.

VIP Green

That output is from show version on the ASA.  That just shows you the capabilities of the ASA and not what is currently configured.  Basically it says that the license you have installed will allow for Active/Active failover.

What type of VPN connection are we talking about (L2L, Remote Access, IPsec, SSL...etc)?

Are both ASAs the same hardware, and software version? do they have the same licenses installed?

New Member

The VPN is SSL.

 

Both ASA have a VPN Plus license and the same version: Cisco Adaptive Security Appliance Software Version 8.0(2), Device Manager Version 6.0(2).

VIP Green

Could you post a full running configuration of your primary ASA and secondary ASA (remove any passwords or public IPs).

New Member

Hi,

Thanks a lot for your suggestions.

We have been checking the show tech command output and found out that the VPN configuration is not the same in both ASAs. So my doubt now is, why are the configuration changes made in the active ASA not being transferred to the standby ASA? Apparently it only affects the VPN configuration, as I have added new rules to the ASA today and they also appear in the standby ASA.

 

 

New Member

I enclose a screenshot of the ASDM where the failover is configured. How could I check if the stateful failover link is configured?

VIP Green

That is the secondary ASA, all configuration needs to be done on the primary ASA...but it looks as though you need to configure the stateful failover link.

New Member

Hi,

 

I checked the ASDM Help related to configuring failover and it says the following:

 

If you choose the LAN Failover interface, you do not need to specify the Active IP, Subnet Mask, Logical Name, and Standby IP values; the values specified for the LAN Failover interface are used. So my state failover seems to be right.

 

The screenshot attached is the primary ASA. The help says that:

Preferred Role—Specifies whether the preferred role for this security appliance is as the primary or secondary unit in a LAN failover. Therefore, the ASA is the active one but I have selected secondary as that is the role assumed once it fails and the secondary unit takes over.

       

Are there other options to check?

Thanks.

New Member

Hi,

I connect to the secondary ASA. The VPN is configured the same way. However, when I checked the failover configuration I get the warning message shown in the screenshot attached. The primary ASA is configured the same way but this warning message is not shown in the primary ASA.

I would be very grateful if you could help me.

Thanks.

VIP Green

Are the two ASAs running the same hardware, software image and licenses?

The image attached is of your primary/Active firewall...indicated by the selected preferred role <primary>? So you are seeing this error on your primary ASA and not your secondary.

I would suggest removing the failover configuration and then re-applying it.  You might also want to consider a reload of the ASA after you have removed the failover configuration...if you are able to do so.

Hall of Fame Super Gold

In looking at the screen shot it seems pretty clear that LAN failover is configured but that State failover is not configured (there is no active IP address, no backup IP address, etc for State Failover). And not having stateful failover would prevent VPN failover.

But as I read the original post I am not clear exactly what the problem is. Perhaps it is that VPN sessions do not fail over. But when it says that VPN was not available I wonder if it really means that new VPN sessions could not be established. Perhaps the original poster can clarify this.

Also I am not clear whether the problem with VPN is for site to site VPN or is for Remote Access VPN. Perhaps we could get clarification for that as well?

On the possibility that it might be about Remote Access VPN and that it is that new sessions can not be established I will add one suggestion. Be sure that the files used for VPN are present on the disk of the standby ASA. Since the config does get replicated it is easy to assume that the files get replicated also. But that is not the case. You need to manually copy the files into disk on both ASA.

HTH

Rick

VIP Green

I agree that the state failover does look to be configured.  Which is the reason I requested that the poster provide the configuration, so that we can fill in the gaps.

       

New Member

Thanks for your suggestions.

We are using Remote Access VPN. The problem is that when the standby ASA takes over it is not possible to connect using VPN. However, we have just found out that the VPN configuration is not the same in our ASAs, so that's the reason why people cannot connect when the standby changes to active.

I don't understand your explanation about state failover. I think it is configured. In fact this information is available in the ASDM help:

• Active IP—Specifies the IP address for the Stateful Failover interface on the primary unit. This field is dimmed if the LAN Failover interface or Use Named option is selected in the Interface drop-down list.

I would say that this explanation fits with my screenshot. However, there must be some problem, as the VPN configuration is not replicated in both ASAs, although when I add a new rule it is replicated to the standby ASA.

I don't understand your last explanation about files needed to get the VPN configuration replicated. How can I check if those files are in both ASAs?

Thanks in advance.

         

VIP Green

The stateful failover has nothing to do with the configuration replication.  Config is taken care of by the regular failover link.  Stateful failover replicates the established sessions when a failover takes place.  So, if the configurations are not the same on both ASAs then there is either something wrong with the "failover" configuration (not to be confused with stateful failover) or there is a problem with communication between the ASAs on the failover link.  You could try to issue the command write standby on the active ASA and then check to see if the configurations match on the standby unit.

It would be easier to see if stateful failover is configured in the CLI.  If you could issue the command show run all failover and paste the output here, we could check this for you. I have come across situations where the configuration in the ASDM did not match what was in the CLI...So in my opinion it is always best to double check the CLI for the configuration.

What is meant by the files that need to be on both ASAs is the AnyConnect license, AnyConnect software, etc.  These do not get automatically copied over, so you would need to manually install all AnyConnect-related files on the standby ASA.

New Member

That's the output of show run all failover:

failover
failover lan unit secondary
failover lan interface failoverinterface Management0/0
failover link failoverinterface Management0/0
failover interface ip failoverinterface 10.0.1.1 255.255.255.0 standby 10.0.1.2

failover
failover lan unit primary
failover lan interface failoverinterface Management0/0
failover link failoverinterface Management0/0
failover interface ip failoverinterface 10.0.1.1 255.255.255.0 standby 10.0.1.2

Regarding the write standby command, is it safe to run this command in a production environment?

Thanks.
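An added check for the output pasted above, written for this page rather than taken from Cisco or from any post in the thread. In ASA syntax `failover lan interface NAME PHYS` defines the LAN failover link, over which the configuration is replicated, and `failover link NAME [PHYS]` defines the stateful failover link, over which live session state is replicated; the two may share one physical interface, and when `failover link` is given without an interface it reuses the LAN failover interface of the same logical name. The script parses `show run all failover` from both units, reports which links exist and whether they share an interface, and flags anything that differs between the two members other than the unit role. The two outputs are the ones posted; `NO_STATE_OUTPUT` is a constructed variant with the `failover link` line removed so that the report for a missing stateful link can be seen.

```python
"""Parse `show run all failover` from a Cisco ASA pair and report the failover
wiring.  Added example for this thread; not Cisco code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed samples: the two outputs pasted in the thread, one per unit.
SECONDARY_OUTPUT = """\
failover
failover lan unit secondary
failover lan interface failoverinterface Management0/0
failover link failoverinterface Management0/0
failover interface ip failoverinterface 10.0.1.1 255.255.255.0 standby 10.0.1.2
"""
PRIMARY_OUTPUT = SECONDARY_OUTPUT.replace("unit secondary", "unit primary")
# Constructed variant: the same unit with no `failover link` line at all.
NO_STATE_OUTPUT = "\n".join(
    l for l in PRIMARY_OUTPUT.splitlines() if not l.startswith("failover link ")
)

LAN_RE = re.compile(r"^failover lan interface (\S+) (\S+)$")
STATE_RE = re.compile(r"^failover link (\S+)(?: (\S+))?$")
IP_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


@dataclass
class FailoverConfig:
    enabled: bool = False
    unit: Optional[str] = None                    # "primary" or "secondary"
    lan_link: Optional[Tuple[str, str]] = None    # (logical name, physical interface)
    state_link: Optional[Tuple[str, str]] = None  # (logical name, physical interface)
    ips: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)  # name -> (active, mask, standby)


def parse_failover(output: str) -> FailoverConfig:
    """Turn `show run all failover` text into a FailoverConfig."""
    cfg = FailoverConfig()
    for raw in output.splitlines():
        line = raw.strip()
        if line == "failover":
            cfg.enabled = True
        elif line.startswith("failover lan unit "):
            cfg.unit = line.split()[-1]
        elif (m := LAN_RE.match(line)):
            cfg.lan_link = (m.group(1), m.group(2))
        elif (m := STATE_RE.match(line)):
            cfg.state_link = (m.group(1), m.group(2))  # interface may be omitted
        elif (m := IP_RE.match(line)):
            cfg.ips[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    # `failover link NAME` with no interface rides on the LAN failover
    # interface that carries the same logical name.
    if cfg.state_link and cfg.state_link[1] is None and cfg.lan_link \
            and cfg.state_link[0] == cfg.lan_link[0]:
        cfg.state_link = (cfg.state_link[0], cfg.lan_link[1])
    return cfg


def assess(cfg: FailoverConfig) -> List[str]:
    """Findings about one unit: what is replicated, and over which interface."""
    findings: List[str] = []
    if not cfg.enabled:
        findings.append("failover is disabled on this unit")
    if cfg.lan_link is None:
        findings.append("no LAN failover link: the configuration is not replicated")
    if cfg.state_link is None:
        findings.append("no stateful failover link: live sessions are not replicated "
                        "and are dropped when the standby takes over")
    elif cfg.lan_link and cfg.state_link[1] == cfg.lan_link[1]:
        findings.append(f"stateful failover shares the LAN failover interface "
                        f"{cfg.state_link[1]} (logical name {cfg.state_link[0]})")
    for name in {link[0] for link in (cfg.lan_link, cfg.state_link) if link}:
        if name not in cfg.ips:
            findings.append(f"failover interface {name} has no IP address configured")
    return findings


def check_pair(a: FailoverConfig, b: FailoverConfig) -> List[str]:
    """Everything except the unit role must match on both members of the pair."""
    problems: List[str] = []
    if {a.unit, b.unit} != {"primary", "secondary"}:
        problems.append(f"unit roles are {a.unit!r} and {b.unit!r}; "
                        "expected one primary and one secondary")
    for attr in ("enabled", "lan_link", "state_link", "ips"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    return problems


if __name__ == "__main__":
    primary, secondary = parse_failover(PRIMARY_OUTPUT), parse_failover(SECONDARY_OUTPUT)
    for label, cfg in (("primary", primary), ("secondary", secondary)):
        print(f"[{label}]", *assess(cfg), sep="\n  ")
    print("pair:", check_pair(primary, secondary) or "consistent")
```

For the pasted output the script reports both units as consistent, with a stateful link present and sharing Management0/0 with the LAN failover link; the only other thing it checks is that the logical failover interface actually has an IP address, which is the gap the ASDM screenshot discussion was circling around.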

VIP Green

You are missing the following command for stateful failover.

failover link statelink Management0/0

write standby is safe to run while in production.  However, depending on the size of the configuration, you might experience a slight performance decrease on the link that you use for failover.

New Member

So, would adding that command solve the problem with the replication of configuration between ASAs? Should I add it in both ASAs or only in the active one?

In the sh tech we found out that the primary ASA is in standby whereas the secondary is the active one.

Thanks.

VIP Green

So, would adding that command solve the problem with the replication of configuration between ASAs?

I explained this a couple of posts ago.  The stateful failover has nothing to do with config replication. Stateful failover only replicates the existing connections that are currently passing through the firewall.

The failover (not to be confused with stateful failover) is what synchronizes the ASA configuration.

Should I add it in both ASAs or only in the active one?

This command needs to be issued only on the active ASA; it will be replicated to the standby ASA over the failover link.

In the sh tech we found out that the primary ASA is in standby whereas the secondary is the active one.

If there has been a failover situation then this is normal.  The new active ASA will remain as the active ASA until another failover situation occurs or a manual failover is issued.

If you log into the currently active ASA and issue the following command:

no failover active

This will set the current ASA as the standby ASA.

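The thread ends up separating three things that are easy to conflate: the LAN failover link replicates the running configuration, the stateful link replicates live sessions, and files on flash (the AnyConnect package and similar, as Rick and the VIP point out) are replicated by neither. The script below is an added example for this page, not Cisco code and not anything posted in the thread. It takes `show running-config` text from both units, reports every command present on one unit but absent from the other while ignoring `failover lan unit`, which legitimately differs per unit, and lists the flash files the configuration references so they can be checked with `dir disk0:` on each box. Both configurations are constructed to mirror the poster's situation (the new access-list replicated, the remote-access SSL VPN settings missing on the standby); the hostname, addresses and the `anyconnect-client.pkg` file name are placeholders.

```python
"""Find configuration drift between the two members of an ASA failover pair.
Added example for this thread; not Cisco code.  The two configurations are
constructed and the file name and addresses are placeholders."""
import re
from typing import Dict, List, Optional, Tuple

ACTIVE_CONFIG = """\
hostname asa-edge
failover
failover lan unit secondary
failover lan interface failoverinterface Management0/0
failover link failoverinterface Management0/0
failover interface ip failoverinterface 10.0.1.1 255.255.255.0 standby 10.0.1.2
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
webvpn
 enable outside
 svc image disk0:/anyconnect-client.pkg 1
 svc enable
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol svc
tunnel-group RA type remote-access
tunnel-group RA general-attributes
 default-group-policy RA-POLICY
"""

STANDBY_CONFIG = """\
hostname asa-edge
failover
failover lan unit primary
failover lan interface failoverinterface Management0/0
failover link failoverinterface Management0/0
failover interface ip failoverinterface 10.0.1.1 255.255.255.0 standby 10.0.1.2
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol IPSec
"""

# Commands that legitimately differ between the two units and must not be
# reported as drift; `failover lan unit` names each unit's own role.
PER_UNIT_PREFIXES = ("failover lan unit ",)
FILE_RE = re.compile(r"\b(disk\d+:/\S+)")

Sections = Dict[str, List[str]]           # top-level command -> its sub-commands
Drift = List[Tuple[str, Optional[str]]]   # (section, sub-command) or (section, None)


def parse_sections(config: str) -> Sections:
    """Group `show run` text into top-level commands and their indented sub-commands."""
    sections: Sections = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.rstrip()
        sections.setdefault(current, [])
    return sections


def _missing(src: Sections, dst: Sections) -> Drift:
    """Entries of src that dst lacks, in src order."""
    out: Drift = []
    for top, children in src.items():
        if top.startswith(PER_UNIT_PREFIXES):
            continue
        if top not in dst:                      # whole section absent
            out.append((top, None))
            out.extend((top, c) for c in children)
            continue
        out.extend((top, c) for c in children if c not in dst[top])
    return out


def config_drift(active: str, standby: str) -> Tuple[Drift, Drift]:
    """(missing on standby, missing on active)."""
    a, s = parse_sections(active), parse_sections(standby)
    return _missing(a, s), _missing(s, a)


def referenced_files(config: str) -> List[str]:
    """Flash files the configuration points at; failover does not copy these."""
    return sorted(set(FILE_RE.findall(config)))


def report(active: str, standby: str) -> str:
    on_standby, on_active = config_drift(active, standby)
    lines: List[str] = []
    for title, drift in (("Missing on standby", on_standby), ("Missing on active", on_active)):
        lines.append(f"{title}: {len(drift)}")
        lines.extend(f"  {top}" if child is None else f"  {top} / {child}" for top, child in drift)
    files = referenced_files(active)
    if files:
        lines.append("Confirm these exist on both units (dir disk0:):")
        lines.extend(f"  {f}" for f in files)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ACTIVE_CONFIG, STANDBY_CONFIG))
```

Run it against the two units before and after `write standby` on the active unit: if the same lines are still missing afterwards, the problem is the failover link or a per-unit command rather than a one-off desync, and any file listed under `dir disk0:` that is present on only one unit will break new SSL VPN sessions on the other regardless of how clean the configuration looks.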